The concerns are believed to focus on a court's definition of what constitutes "personal data" in Michael Durant's landmark case against the UK's Financial Services Authority and subsequent guidance on the case from the UK's Information Commissioner. But "personal data" is not the only problem.
Jonathan Todd, European Commission Spokesman on the Internal Market, told OUT-LAW yesterday:
"I can confirm that the Commission has sent a letter of formal notice to the UK Government about the conformity of several aspects of the 1998 Data Protection Law with the EU data protection Directive of 1995."
The detail of the letter – which is said to run to 20 pages – has not been made public by the European Commission: it is for the UK Government to decide whether or not to make it public.
However, OUT-LAW understands that the failure of the UK Government to guarantee the right of access to personal data is likely to be a strong feature of the letter. Other concerns appear to include insufficient controls on international transfers of data and a lack of investigative powers given to the Commissioner.
Todd's comments came as UK Information Commissioner Richard Thomas presented his latest Annual Report. Mr Thomas was asked by OUT-LAW if he had seen the letter. He indicated that he had seen a draft, but not the final version. He also said that he was largely satisfied with the definition of "personal data" in the UK Act as interpreted by the Court of Appeal.
The Durant case changed the UK's interpretation of "personal data" by placing greater focus on the content of personal data being about the individual concerned. The Commission apparently considers this to be inconsistent with the 1995 Directive because personal data in the Directive has a broader construction and applies to that recorded personal information which directly or indirectly relates to an individual.
A source familiar with the letter told OUT-LAW: "Neither the court in Durant, nor subsequent guidance from the Information Commissioner, is appropriate."
The source stated as an example that where a Data Protection Act violation is identified: under the UK's 1998 legislation, the Information Commissioner can only issue an Enforcement Notice to the Data Controller. If the Controller complies with that notice, there can be no economic sanction to punish the initial breach. The European Commission thinks there should be such a sanction.
The possible need for additional powers is something that OUT-LAW put to Richard Thomas in June 2003.
When asked in an interview for OUT-LAW Magazine if there are any powers he would like that he does not have, Mr Thomas replied that he was "not entirely satisfied with" the procedure for responding to a request for an assessment, which only allows him to give "what you might call a statutory opinion as to whether or not there has been compliance."
"I'm very conscious," said Mr Thomas, "that from the point of view of the individual who is aggrieved and comes to us, even if we give such an opinion that there has been non-compliance, that may not be terribly satisfactory. We have no powers to award compensation."
That interview took place six months before the Durant ruling.
Dr Chris Pounder, editor of Data Protection and Privacy Practice, a newsletter published by Masons, the law firm behind OUT-LAW, said at the time that the Durant decision was "based on faulty reasoning". He warned that it could result in the UK's legislation "being found to be an inadequate implementation of the Data Protection Directive of 1995."
Commenting on yesterday's statement from the European Commission, Dr Pounder added:
"It is obvious from the Commission's approach that they already had a number of concerns with the UK's data protection laws. I suspect the Durant case was the straw that broke the camel's back and led to their formal approach to the UK Government."
The letter is "a formal request for information," according to Todd. "In the light of the UK's reply, the Commission will decide whether or not it considers the UK law is in conformity or not, and whether or not to request the UK Government to amend its legislation," he added.
Ultimately, the European Commission could take the UK Government to court in Luxembourg.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.